[Snort-devel] Re: MIB/SMNP Issue

larosa, vjay larosa_vjay at ...1127...
Sun May 12 12:30:03 EDT 2002


This is something that I noticed a while ago. Here is the mail that went out.



Cut---------------------------------------------------------------------------

Yep, this is still a problem. I have a half a$$ workaround with netcool
because it does not use mibs. You have to write your own receiver code to
break up the traps into variables, but since I upgraded from 1.8.5 to 1.8.6
the variables have yet again shifted around on me. I am just finishing up my
netcool code cleanup now. It would be very nice if the SNMP trap code would be
consistent when sending traps so we knew what would be in which var each time
traps were sent.

vjl

-----Original Message-----
From: Metz, Tim [mailto:TMetz at ...1370...]
Sent: Wednesday, May 01, 2002 8:21 AM
To: Martin Roesch; Vjay LaRosa; snort-users at lists.sourceforge.net;
snortsnmp at ...1085...
Subject: RE: [Snort-users] Snort SNMP Variables are not consistent?


Searching through the archives I came across this thread and I am having the
same problem. It seems that if a variable is empty all the string numbers
decrement - poor description but I think you know what I mean.

For example, if $8 is supposed to be src ip but $7 is empty then $7 becomes
src ip. I'm still confirming this is the pattern.

I use snort 1.8.7 build 108 and am sending v2c traps (alerts not informs) to
HP Openview.

Marty: not trying to suck a$$ but your portion was definitely the best at SANS
in Orlando.


Thanks,

Tim Metz
PanAmSat Atlanta
+1-404-381-2828


-----Original Message-----
From: Martin Roesch [mailto:roesch at ...402...]
Sent: Friday, March 15, 2002 7:09 PM
To: Vjay LaRosa; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort SNMP Variables are not consistent?


Geez man, give us a chance!  I don't normally run SNMP alerting and I have
to set up a test environment here to check it out, gimme a little time and
I'll get on it.

    -Marty

On 3/15/02 4:18 PM, "Vjay LaRosa" <vjayl at ...1127...> wrote:

> O.Kay,
> 
> I give up. I guess nobody else that sends SNMP traps with snort has
> noticed this. If anyone knows why it is doing
> this I would appreciate it. Or at least if someone else sees the same
> thing let me know.
> 
> vjl
> 
> 
> 
> Vjay LaRosa wrote:
> 
>> Hello,
>> 
>> Is anyone else using snort 1.8.4 Beta-4 to send SNMP traps? I have
>> snort configured to trap to our Netcool
>> Omnibus server.
>> 
>> Originally snort 1.8.4 Beta-1 was sending the following information in
>> these variables.
>> 
>> $8     Src IP
>> $10    Dst IP
>> $11    Src Port
>> $12    Dst Port
>> 
>> But now that I upgraded I noticed that some alerts use this as their
>> variable mappings,
>> 
>> $7     Src IP
>> $9     Dst IP
>> $10    Src Port
>> $11    Dst Port
>> 
>> but some alerts are still sent using the old format. What's up with
>> this? Am I crazy or is something not right?
>> 
>> vjl
>> 
>> --
>>  V.Jay LaRosa                           EMC Corporation
>>  Systems Administrator                  171 South Street
>>  (508)435-1000 ext 14957                Hopkinton, MA 01748
>>  (508)497-8082 fax                      www.emc.com
>> 
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> --
> V.Jay LaRosa                           EMC Corporation
> Systems Administrator                  171 South Street
> (508)435-1000 ext 14957                Hopkinton, MA 01748
> (508)497-8082 fax                      www.emc.com
> 
> 
-----Original Message-----
From: Rob Hughes [mailto:rob at ...825...]
Sent: Sunday, May 12, 2002 3:29 AM
To: Glenn Mansfield Keeni
Cc: snort-devel at lists.sourceforge.net; roesch at ...402...
Subject: [Snort-devel] Re: MIB/SMNP Issue


On Sat, 2002-05-11 at 19:54, Glenn Mansfield Keeni wrote:
> Rob,
> 
> Rob Hughes wrote:
> 
> This does not seem to be the correct direction. If you will let me know
> what the problem with the integration is, I can try to help.

Still digging, and still finding weirdness. Attached is a text file of a few
events dumped from OVO for comparison. Notice that some of the variables are
not passed consistently in the traps. In particular, the src/dst mac, port and
address seem to be passed differently in some of the traps. Why is this?
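The shifting that this thread describes, shown as an added illustration that is not code from the thread or from Snort: a receiver that reads trap varbinds by position (the $N approach used with Netcool and OVO above) picks up the wrong field as soon as an empty varbind is left out of the trap, while a receiver that keys varbinds by OID does not. The OIDs, field names and trap contents below are constructed placeholders, not Snort's MIB.

```python
# Added example, not from the thread. Two ways of pulling fields out of an
# SNMP trap's varbind list, and why only one of them survives a missing varbind.

# Constructed stand-in OIDs under a placeholder enterprise subtree; the real
# Snort MIB defines its own object identifiers.
OID = {
    "sensor":   "1.3.6.1.4.1.99999.1.1",
    "sig_msg":  "1.3.6.1.4.1.99999.1.2",
    "src_mac":  "1.3.6.1.4.1.99999.1.3",
    "dst_mac":  "1.3.6.1.4.1.99999.1.4",
    "src_ip":   "1.3.6.1.4.1.99999.1.5",
    "dst_ip":   "1.3.6.1.4.1.99999.1.6",
    "src_port": "1.3.6.1.4.1.99999.1.7",
    "dst_port": "1.3.6.1.4.1.99999.1.8",
}

# Constructed trap with every varbind present: src_ip sits at position 4.
FULL_TRAP = [
    (OID["sensor"], "sensor-1"), (OID["sig_msg"], "constructed alert"),
    (OID["src_mac"], "00:11:22:33:44:55"), (OID["dst_mac"], "66:77:88:99:aa:bb"),
    (OID["src_ip"], "10.0.0.5"), (OID["dst_ip"], "10.0.0.9"),
    (OID["src_port"], 40000), (OID["dst_port"], 80),
]

# Constructed trap where the empty MAC varbinds were not sent at all, which is
# the behaviour the thread describes: everything after them moves up by two.
SPARSE_TRAP = [vb for vb in FULL_TRAP
               if vb[0] not in (OID["src_mac"], OID["dst_mac"])]


def positional_value(varbinds, index):
    """Netcool/OVO-style $N extraction: the Nth value, whatever its OID."""
    return varbinds[index][1] if index < len(varbinds) else None


def extract_by_oid(varbinds):
    """Key each varbind by its OID so a dropped varbind cannot shift the rest;
    absent fields come back as None instead of someone else's value."""
    present = dict(varbinds)
    return {name: present.get(oid) for name, oid in OID.items()}


if __name__ == "__main__":
    print("positional $4 full  :", positional_value(FULL_TRAP, 4))    # 10.0.0.5
    print("positional $4 sparse:", positional_value(SPARSE_TRAP, 4))  # 40000
    print("by OID sparse src_ip:", extract_by_oid(SPARSE_TRAP)["src_ip"])
```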
